Neil Turner's Blog

Blogging about technology and randomness since 2002

Intriguing email mystery

Last week, I received an email, to my personal address at this domain, apparently from a work colleague in another department – her name was in the ‘From’ field. It just said ‘hi neil’, and then a link to a web site. It was sent from a Yahoo! email address, so I assumed that my colleague’s account had been accessed by spammers. This happens a lot with Yahoo! and Hotmail accounts, unfortunately, so I sent her an advisory email to her work address to let her know.

As it happens, that wasn’t her Yahoo! account. In fact, she didn’t have a Yahoo! account at all.

I didn’t think much of it and deleted the email. But then today, I had another very similar email, again purporting to be from the same colleague. But the from address was different – an this time. The email headers, however, seemed to be valid Yahoo! Mail headers, with an origin IP address from somewhere in the Sudan.

This is perplexing. Although I know this colleague quite well, we’ve never worked in the same department and we have very different surnames. I do have her in my personal contact list though, and I am friends with her on Facebook.

I’m not sure how this could happen. My list is synchronised to Google, but that account is quite well-locked down with two-factor authentication, and I’ve enabled the feature that allows Google to contact me by phone if there is any suspicious account activity. I may try re-setting my application passwords though.

I have a Yahoo! Mail account myself but never use it; any messages received are forwarded to Gmail, and the message I received was through my personal account. Also, my Yahoo! password is more than 20 characters long. As for Facebook, I have two-factor authentication enabled there too, and there are no suspicious sessions.

I wondered whether this was an attempt to install malware through social engineering, but I can’t seem to find evidence of that. The link points to some weight loss quackery site – annoying, but not necessarily malicious. And it wasn’t sent to my work email address. That being said, I’m not so concerned about it using my name in the email, as that’s my email address.

It’s all rather mysterious.

One Comment

  1. I’ve seen exactly the same … genuine contact with a link, sent from a Yahoo! address. This was about two weeks ago, both sent to my wife; one appearing from my father and one from me (!)

    I suspect the addresses have been scraped from one of those email circulars where people forward a funny mail to all their contacts. Still, this was all a little close for comfort so I’m keeping a close eye on my own and my wife’s GMail account activity.